Issue Date: November 14, 2008
Audit Case Number: 2009-FO-0003

TO: John W. Cox, Chief Financial Officer, F

FROM: Thomas R. McEnanly, Director, Financial Audits Division, GAF

SUBJECT: Additional Details to Supplement Our Report on HUD’s Fiscal Years 2008 and 2007 Financial Statements

HIGHLIGHTS

What We Audited and Why

We are required to annually audit the consolidated financial statements of the U.S. Department of Housing and Urban Development (HUD) in accordance with the Chief Financial Officers Act of 1990, as amended. Our report on HUD’s fiscal years 2008 and 2007 financial statements is included in HUD’s Fiscal Year 2008 Performance and Accountability Report. This report supplements our report on the results of our audit of HUD’s principal financial statements for the fiscal years ending September 30, 2008, and September 30, 2007.
Also provided are assessments of HUD’s internal controls and our findings with respect to HUD’s compliance with applicable laws, regulations, and government-wide policy requirements, and provisions of contracts and grant agreements.[1]

[1] Additional details relating to the Federal Housing Administration (FHA), a HUD component, are not included in this report but are included in the accounting firm of Urbach Kahn and Werlin LLP’s audit of FHA’s financial statements. That report has been published in our report, Audit of Federal Housing Administration Financial Statements for Fiscal Years 2008 and 2007 (2009-FO-0002, dated November 07, 2008).

Additional details relating to the Government National Mortgage Association (Ginnie Mae), another HUD component, are not included in this report but are included in the accounting firm of Carmichael, Brasher, Tuvell Company’s audit of Ginnie Mae’s financial statements. That report has been published in our report, Audit of Government National Mortgage Association Financial Statements for Fiscal Years 2008 and 2007 (2009-FO-0001, dated November 07, 2008).

What We Found

In our opinion, HUD’s fiscal years 2008 and 2007 financial statements were fairly presented. Our opinion on HUD’s fiscal years 2008 and 2007 financial statements is reported in HUD’s Fiscal Year 2008 Performance and Accountability Report.
The other auditors and our audit also disclosed the following significant deficiencies in internal controls related to the need to:

  - Continue improvements in the oversight and monitoring of subsidy calculations and intermediaries program performance and promote full utilization of Housing Choice Voucher funds;
  - Improve the processes for reviewing obligation balances;
  - Comply with federal financial management systems requirements;
  - Further strengthen controls over HUD’s computing environment;
  - Improve personnel security practices for access to the Department’s critical financial systems;
  - Continue to enhance and modernize FHA’s financial information systems; and
  - Strengthen Ginnie Mae’s monitoring and management controls in regard to the mortgage-backed security program.

Our findings include the following four instances of non-compliance with applicable laws and regulations:

  - HUD did not substantially comply with the Federal Financial Management Improvement Act regarding system requirements.
  - HUD did not substantially comply with the Anti-deficiency Act.
  - FHA does not comply with the Credit Reform Act of 1990.
  - Ginnie Mae did not comply with the Federal Information Management Security Act.

The audit also identified $122.9 million in excess obligations recorded in HUD’s records. We also are recommending that HUD seek legislative authority to implement $1.4 billion in offsets against housing agencies’ excess unusable funding held in Net Restricted Assets Accounts at the housing agencies.
These amounts represent funds that HUD could put to better use.

What We Recommend

Most of the issues described in this report represent long-standing weaknesses. We understand that implementing sufficient change to mitigate these matters is a multiyear task due to the complexity of the issues, insufficient information technology (IT) systems funding, and other impediments to change. In this and in prior years’ audits of HUD’s financial statements, we have made recommendations to HUD’s management to address these issues. Our recommendations from the current audit, as well as those from prior years’ audits that remain open, are listed in Appendix B of this report.

For each recommendation without a management decision, please respond and provide status reports in accordance with HUD Handbook 2000.06, REV-3.

HUD’s Response

The complete text of the agency’s response can be found in Appendix E. This response, along with additional informal comments, was considered in preparing the final version of this report.

TABLE OF CONTENTS

Highlights
Internal Control
Compliance with Laws and Regulations
Appendixes
   A. Objectives, Scope, and Methodology
   B. Recommendations
   C. FFMIA Noncompliance, Responsible Program Offices, and Recommended Remedial Actions
   D. Schedule of Questioned Costs and Funds Put to Better Use
   E. Agency Comments
   F. OIG Evaluation of Agency Comments

Internal Control

Significant Deficiency: HUD Management Must Continue to Improve Oversight and Monitoring of Subsidy Calculations and Intermediaries’ Program Performance and Promote Full Utilization of Housing Choice Voucher Funds

Under the provisions of the U.S. Housing Act of 1937, HUD provides housing assistance funds through various grant and subsidy programs to multifamily project owners (both nonprofit and for profit) and housing agencies. These intermediaries, acting for HUD, provide housing assistance to benefit primarily low-income families and individuals (households) that live in public housing, Section 8 and Section 202/811 assisted housing, and Native American housing. In fiscal year 2008, HUD spent about $28 billion to provide rent and operating subsidies that benefited more than 4.8 million households.

Since 1996, we have reported on weaknesses with the monitoring of the housing assistance program’s delivery and the verification of subsidy payments. We focused on the impact these weaknesses had on HUD’s ability to (1) ensure intermediaries are correctly calculating housing subsidies and (2) verify tenant income and billings for subsidies. During the past several years, HUD has made progress in correcting this deficiency.
In 2008, HUD continued utilizing the comprehensive consolidated reviews in the Office of Public and Indian Housing’s (PIH) efforts to address public housing agencies’ (PHA) improper payments and other high-risk elements. HUD’s continued commitment to the implementation of a comprehensive program to reduce erroneous payments will be essential to ensuring that HUD’s intermediaries are properly carrying out their responsibility to administer assisted housing programs according to HUD requirements.

The Department has demonstrated improvements in its internal control structure to address the significant risk that HUD’s intermediaries are not properly carrying out their responsibility to administer assisted housing programs according to HUD requirements. HUD’s increased and improved monitoring has resulted in a significant decline in improper payment estimates over the last five years. However, HUD needs to continue to place emphasis on its on-site monitoring and technical assistance to ensure that acceptable levels of performance and compliance are achieved and periodically assess the accuracy of intermediaries’ rent determinations, tenant income verifications, and billings.

Tenant income is the primary factor affecting eligibility for housing assistance, the amount of assistance a family receives, and the amount of subsidy HUD pays. Generally, HUD’s subsidy payment makes up the difference between 30 percent of a household’s adjusted income and the housing unit’s actual rent or, under the Section 8 voucher program, a payment standard. The admission of a household to these rental assistance programs and the size of the subsidy the household receives depend directly on the household’s self-reported income.
However, significant amounts of excess subsidy payments occur because of errors in intermediaries’ rent determinations and undetected, unreported, or underreported income. By overpaying rent subsidies, HUD serves fewer families. Every dollar paid in excess subsidies represents funds that could have been used to subsidize other eligible families in need of assistance.

HUD’s Estimate of Erroneous Payments Decreased in Fiscal Year 2008

The estimate of erroneous payments that HUD reports in its Performance and Accountability Report relates to HUD’s inability to ensure or verify the accuracy of subsidy payments being determined and paid to assisted households. This year’s contracted study of HUD’s three major assisted housing programs estimated that the rent determination errors made by the intermediaries resulted in substantial subsidy overpayments and underpayments. The study was based on analyses of a statistical sample of tenant files, tenant interviews, and income verification data for activity that occurred during fiscal year 2007. However, the amounts reported in the study have been adjusted due to recent program structure changes.

The Public Housing programs switched to Asset Management and began calculating formula income for PHAs as noted in 24 CFR 990.195 Calculating Formula Income. This change eliminated the 3 types of improper payment errors for the Public Housing program. This new process was implemented in January 2007. Therefore, for FY 2007 this process was in place for the last 3 quarters of the year and HUD subsidy errors occurred only in the first quarter.
Errors could still be made by PHAs in their calculation of the amount of tenant rent or tenants could still be underreporting their income; however, beginning January 2007, this no longer affected HUD’s subsidy. The Quality Control (QC) study and Income Match Reporting study estimated these errors for the entire fiscal year because this information is useful to management of both PIH and the PHAs. However, based on the conversion to asset management and the change in calculating formula income becoming effective in January 2007, only 25 percent of the amount calculated for the Administrator, Income Reporting, and Billing errors should be reported for FY 2007. In addition, the establishment of a budget based funding methodology was implemented for the Housing Choice Voucher Program to eliminate the opportunity for billing errors in that program. Budget based means that each PHA will have a set annual budget for vouchers to serve their clients’ needs. The PHA will receive the annual budget in 12 equal monthly payments – thus eliminating the need to bill HUD and eliminating the Billing Error.

Based on the previously mentioned program structure changes, HUD is reporting subsidy payment inconsistencies in which HUD incorrectly paid $671.5 million in annual housing subsidies. This is a 30 percent decrease in the gross erroneous payments in comparison to the prior year.
The estimate of erroneous payments is reported in HUD’s Fiscal Year 2008 Performance and Accountability Report as Other Accompanying Information and will reflect the adjusted error estimates.

The estimate of erroneous payments this year also includes overpaid subsidies from underreported and unreported income and intermediaries’ billings errors. HUD estimated that housing subsidy overpayments from tenants misreporting their income totaled an additional $249.8 million in overpayments during calendar year 2007.

HUD did not conduct a billings study during fiscal year 2008. Therefore, the results of the prior year’s study will carry over for this year’s billings error estimate and have been adjusted according to the previously mentioned program structural changes. Based on the payment errors that were identified for the Office of Housing’s project-based Section 8 housing program, HUD reported an estimated $59 million in program billings errors for fiscal year 2006. In addition, PIH’s billings error estimate has been reduced to zero for the Housing Choice Voucher program.

Additionally, an operating subsidy estimate of $12.3 million was included in the PIH billings estimate. Therefore, adding the Office of Housing’s estimate of $59 million to the PIH estimate of $12.3 million for operating subsidy results in a $71.3 million estimate of erroneous payments for billings errors.

In totality, HUD has reduced the combined gross improper rental housing assistance payment estimates to $993 million in Fiscal Year 2007.
This is a total reduction of 35% in comparison to the prior year estimates.

In addition to the Rental Housing Integrity Improvement Project (RHIIP)-related estimates, HUD performed a risk assessment update on one third of all HUD programs exceeding $40 million in expenditures (except those associated with the RHIIP) to determine whether they are susceptible to significant erroneous or improper payments. The OCFO performed a risk assessment on nine of HUD’s funded activities (programs). The nine programs were updated and reevaluated for the current risk assessment. Although individual program risk ratings for the nine programs may have changed slightly, none of the programs evaluated were considered susceptible to significant improper payments for fiscal year 2007, as defined in OMB Circular A-123, Appendix C, Part 1.

HUD Needs to Continue Initiatives to Detect Unreported Tenant Income

The computer matching agreement between HUD’s Office of Housing and the Department of Health and Human Services (HHS) for use of the National Directory of New Hires in the Enterprise Income Verification system (EIV) was finalized in fiscal year 2008. HUD successfully expanded its computer matching program with the HHS data to all of its rental assistance programs (public housing, housing vouchers, and project-based housing) when HUD’s project-based program gained access to the HHS database on January 15, 2008. The other programs had gained access previously.
HUD intends to issue a final rule mandating the use of this matching data by the end of this calendar year.

EIV is a web-based system that compiles tenant income information and makes it available online to HUD business partners to assist in determining accurate tenant income as part of the process of setting rental subsidy. Currently, EIV matches tenant data against Social Security Administration information, including Social Security benefits and Supplemental Security Income, and with the HHS National Directory of New Hires (NDNH) database, which provides information such as wages, unemployment benefits, and W-4 (“new hires”) data, on behalf of PIH and Multifamily Housing programs. The EIV System is available to PHAs nationwide and to Owner Administered project-based assistance programs, and all are encouraged to use and implement the EIV System in their day-to-day operations.

Additionally, the Department is in the process of implementing the Multifamily Housing Error Tracking Log (ETL) initiative. The ETL initiative will document whether and to what extent owners are accurately, thoroughly, and clearly determining family income and rents in the Office of Multifamily Housing Subsidy Programs, and will track the specific dollar impact of income and rent discrepancies and the corresponding resolution of such errors.

HUD Needs to Continue Progress on RHIIP Initiatives to Monitor Program Administrators

HUD initiated the Rental Housing Integrity Improvement Project (RHIIP) as part of an effort in fiscal year 2001 to develop tools and the capability to minimize erroneous payments.
The type of erroneous payments targeted includes the excess rental subsidy caused by unreported and underreported tenant income. Since our last report, HUD has continued to make progress addressing the problems surrounding housing authorities’ rental subsidy determinations, underreported income, and assistance billings. However, HUD still needs to ensure that it fully utilizes automated tools to detect rent subsidy processing deficiencies and identify and measure erroneous payments.

During fiscal year 2006, HUD implemented a five-year plan initiative to perform consolidated reviews in order to reinforce the Office of Public and Indian Housing’s (PIH) effort in addressing public housing agencies’ (PHA) improper payments and other high-risk elements. These reviews were also implemented to ensure the continuation of the PIH’s comprehensive monitoring and oversight of PHAs. The five-year plan required Tier 1 comprehensive reviews of approximately 20 percent or 490 of the PHAs that manage 80 percent of HUD’s funds. According to the Fiscal Year 2008 Management Plan directive, PIH identified 100 PHAs that receive 80 percent of HUD’s funding for the priority Tier 1 comprehensive reviews. Tier 2 comprehensive reviews of the remaining PHAs were optional, depending upon each field office’s resources.
Tier 1 comprehensive reviews included rental integrity monitoring (RIM), RIM follow-up on Corrective Action Plans (CAPs), EIV implementation and security, Section 8 Management Assessment Program (SEMAP) confirmatory reviews, SEMAP quality control reviews, Exigent Health & Safety (EH&S) spot-checks, Management Assessment Subsystem (MASS) certifications, and civil rights limited front-end reviews.

Documentation provided during our review showed that 101 Tier I reviews and 17 Tier II reviews were performed during fiscal year 2008. Because of the deficiencies identified in the consolidated reviews, CAPs were implemented at 46 PHAs from the Tier 1 and at 17 PHAs from the Tier II Reviews. At the end of our fieldwork, none of the CAPs from these reviews had been closed out. Additionally, at the end of our fiscal year 2008 fieldwork we noted that 6 CAPs were still open from the 2003-2004 RIM follow-up reviews. During our fiscal year 2007 review, we determined that 6 of these CAPs were still open because the respective PHA was either in receivership or in troubled status. HUD must continue to assure that CAPs are implemented and closed out, thereby assuring that the systemic errors identified during the reviews were corrected.

In prior years, we reported that the Public Housing Information Center system (now known as the PIH Inventory Management System, or PIC-IMS) information was incomplete and/or inaccurate because housing authority reporting requirements were discretionary. As a result, PHAs have been mandated to submit 100 percent of their family records to HUD’s Public Housing Information Center system (Inventory Management System) Form 50058 Module. If PHAs do not meet the minimum reporting rate of 95 percent at the time of their annual Form HUD 50058 reporting rate assessment, they are subject to sanctions.
During our field review at four field offices, we noted 41 PHAs that were not meeting the minimum 95 percent reporting rate. None of these PHAs were sanctioned during 2008. HUD annually evaluates those PHAs not meeting the 95% requirement; this evaluation was postponed until April 2009, after the new PIC-IMS software is deployed. Since HUD uses the tenant data from its Public Housing Information Center system (Inventory Management System) for the income-matching program and program monitoring, it is essential that the database have complete and accurate tenant information. Therefore, until a more efficient and effective means of verifying the accuracy of the data is developed, HUD needs to continue to emphasize the importance of accurate reporting and proactively enforce sanctions against those PHAs that do not follow the requirement.

HUD has made substantial progress in taking steps to reduce erroneous payments. However, HUD must continue its regular on-site and remote monitoring of the PHAs and use the results from the monitoring efforts to focus on corrective actions when needed. We are encouraged by the on-going actions to focus on improving controls regarding income verification, as well as HUD’s plans regarding CAPs, consolidated reviews, and the continual income and rent training for HUD staff, owners, management agents, and PHAs.

Public Housing Agencies’ Accumulation of Funds in the Net Restricted Asset Account

Congress, in an attempt to limit the cost of the Housing Choice Voucher Program and to provide flexibility to the Public Housing Agencies (PHAs) in the administration of available program funding, enacted provisions in the fiscal year 2005 Appropriation Act (Public Law 108-447), that significantly changed the way HUD provides and monitors the subsidy paid to housing agencies.
Starting January 1, 2005, Congress changed the basis of the program funding from a “unit-based” process to a “budget-based” process that limits the Federal funding to a fixed amount. Under the legislation, HUD records the funding allocated to the PHA as an expense and no longer records a receivable for any under-utilized funds because the public housing authorities retain and are expected to use the funds in their entirety for authorized program activities and expenses within the time allowed. Program guidance states that any budget authority provided to PHAs that exceeds actual program expenses for the same period must be maintained in a housing agency’s net restricted assets account. Although these funds are retained by the PHA and not the Department, the Department has a responsibility to ensure that these funds are properly accounted for and are used for authorized program activities. HUD is also responsible for monitoring both overutilization and underutilization of funds and for ensuring that appropriated funds are being used to serve the maximum number of families. According to HUD’s records, as of June 30, 2008, the net restricted assets account has increased to a balance of approximately $1.9 billion for 2,307 PHAs. Further, this $1.9 billion in unused funding is the balance remaining after an offset of $723 million required by the Fiscal Year 2008 Appropriations Law. Of the $1.9 billion, $1.4 billion has been categorized as unusable by the PHAs.
The unusable portion of the net restricted assets account balance represents the excess of the amount that would be required to achieve 100 percent utilization of the vouchers awarded to the PHAs for the calendar year.

The balance in this account has increased to this level because housing agencies are not fully utilizing the housing choice voucher funds allocated. Due to uncertainty over each year’s funding allocation, PHAs have reduced their spending in anticipation of the need to cover future costs from current resources. Late enactment of appropriations has required PHAs to begin each year without knowing their allocations. Also, the utilization of voucher funds is further limited because program regulations prohibit a PHA from leasing more units than those approved in its contract, even when there is a need and the resources are available to increase the number of families being served. The lifting of these leasing restrictions requires legislative action by Congress. HUD has proposed such legislative change, but it has not been enacted.

Below Target Utilization Rates

We reviewed HUD’s Section 8 Management Assessment Program (SEMAP) Utilization Summary Report as of September 17, 2008. This report showed that 55 percent of the PHAs have utilization rates of less than 95 percent, which is below the fiscal year 2004 rate of 98.5 percent achieved using the previous funding mechanism and the Department’s FY 2011 target utilization rate of 97 percent. We reviewed the dollar amount utilization rate from the Net Restricted Assets Monitoring report.
Our analysis of the report indicated that PHA performance for FYs 2005 through 2007 resulted in calculated utilization rates of 96.0, 90.4, and 93.8 percent, respectively. HUD has acknowledged that continued improvements in utilization are needed, and plans to continue to link future administrative fee payments to PHA leasing levels.

In addition, five recent OIG audits [2] have indicated that the accumulation of the net restricted assets has increased the risk of fraud, waste, and abuse of voucher program funds. The audits performed by our field offices at four PHAs revealed irregularities including the misuse of program funds, deficient accounting records and lack of control to ensure adequate utilization. Specifically, the audits indicated that housing choice voucher program funds were being used by PHAs to cover operating costs of other programs and that the funds were being spent on ineligible activities. The audits also found that a PHA did not properly update its financial systems for housing assistance and administrative fee payments made for the voucher program. In addition, we found that its accounting records did not support the balance of the net restricted assets. These issues combined with a lack of adequate funding utilization have resulted in a rapid accumulation of unused funds.

The issues noted in these audits occurred in part because the Department does not include the net restricted assets account balance as part of its on-site monitoring review of PHAs. The Real Estate Assessment Center (REAC) performs a desk review of the Financial Accounting Sub-System (FASS) submissions from the PHAs.
The submissions include two memo accounts regarding the net restricted assets balances (Net Cumulative Administrative Fees Equity and Net Cumulative Administrative Fees Equity). Although REAC reviews the submissions and informs the Financial Management Center and Field Offices of any irregularities, their review is primarily limited to the financial statements, data schedules that support the financial statements, and other data reported by the housing agencies that have been entered into the Department’s systems. REAC relies on the work of the Independent Auditors for review of the PHAs’ financial records that support the FASS submissions. In addition, the Quality Assurance Division (QAD) conducts on-site reviews of selected PHAs to validate the leasing and cost data reported by the agencies in the Voucher Management System (VMS), but does not review data to support net restricted assets account balances.

[2] Dallas Housing Authority Audit Report #2008-FW-1006, City of Los Angeles Housing Authority Audit Report #2008-LA-1015, Housing Authority of the County of San Mateo, Belmont, CA Audit Report #2007-LA-1014, Dallas Housing Authority Audit Report #2008-FW-1011 and Richard Housing Authority, Richard, WA Audit Report #2008-SE-1006.

The leasing restrictions imposed by Congress do not allow the program to operate at its fullest potential and the $723 million offset was not sufficient to recapture the excess funding held by the PHAs.
We recommend that HUD significantly reduce the net restricted assets balance by seeking the legislative authority to implement additional offsets of the $1.4 billion of the unusable funding accumulated and to again request that the programs’ leasing restrictions be eliminated or modified in order for more families to receive assistance. We also recommend that the Department increase its on-site monitoring efforts of this account balance and continue to improve its efforts to increase fund utilization by linking administrative fee payments to PHA leasing levels.

Significant Deficiency: HUD Needs to Improve Processes for Reviewing Obligation Balances

HUD needs to improve controls over the monitoring of obligation balances to ensure they remain needed and legally valid as of the end of the fiscal year. HUD’s procedures for identifying and deobligating funds that are no longer needed to meet its obligations were not always effective. This has been a long-standing weakness. Our review of the 2008 year-end obligation balances showed $122.9 million in excess funds that could be recaptured. We have been reporting deficiencies in this area for several years, and while HUD has been working to implement improved procedures and information systems, progress has been slow. Major deficiencies include: timely reviews of unexpended obligations for Administrative, Program Rental Assistance Payment, Rent Supplement, and Interest Reduction Program are not being performed.

Annually, HUD performs a review of unliquidated obligations to determine whether the obligations should be continued, reduced, or canceled.
We evaluated HUD’s internal controls for monitoring obligated balances.

Project-based Section 8 Contracts

HUD’s systems and controls for accounting, processing payments, monitoring, and budgeting for Section 8 project-based contracts need to be improved. HUD has been hampered in its ability to estimate funding requirements, process timely payments to project-based landlords, and recapture excess funds in a timely manner. This is evidenced in HUD’s long-term challenges in paying Section 8 project-based landlords on a timely basis and properly monitoring and accurately accounting and budgeting for contract renewals.

HUD currently administers 17,986 housing assistance payment (HAP) contracts to provide about 1.25 million low-income housing units. A total of 13,605 contracts, covering 966,020 housing units, are subject to annual renewals.

Section 8 budget authority is generally available until expended. As a result, HUD should periodically assess budget needs and identify excess program reserves in the Section 8 programs as an offset to future budget requirements. Excess program reserves represent budget authority originally received, which will not be needed to fund the related contracts to their expiration. While HUD had taken actions to identify and recapture excess budget authority in the Section 8 project-based program, weaknesses in the review process and inadequate financial systems continue to hamper HUD’s efforts. There is a lack of automated interfaces between the Office of Housing subsidiary records and the Department’s general ledger for the control of program funds.
This necessitates that HUD and its contractors make extensive use of ad hoc analyses and special projects to review Section 8 contracts for excess funds, which has hampered HUD’s ability to identify excess funds remaining on Section 8 contracts in a timely manner.

This fiscal year, the Office of Housing recaptured approximately $428.3 million in unliquidated obligation balances from 9,207 contracts in the Section 8 project-based program. Our review of the Section 8 project-based contracts showed an additional $44.8 million of available contract/budget authority on 102 contracts that had expiration dates prior to January 1, 2008. Funds associated with these contracts should be recaptured.

During our review, we also found 32 contracts listed in the PAS that were not included in REMS data provided to us by Multifamily Housing. REMS is the official source of data on Multifamily Housing’s portfolio of insured and assisted properties. Upon further analysis of the 32 contracts, we determined that the funds available on 28 of the contracts had been recaptured during fiscal year 2008. We verified the status of the remaining four contracts with the Accounting Center in Fort Worth, TX. We found that no records existed for one contract, two contracts had been paid off, and one was expired. The available balance remaining on the four contracts, which totals approximately $29.6 million, should be recaptured.

A Long-term Financial Management System Solution is Needed

While our review indicated improvements in PAS data quality, HUD still needs to develop a long-term financial management system solution to streamline and automate the overall Section 8 project-based budgeting, payment, and contract management process.
HUD’s process for renewing subsidy contracts is largely an ad hoc process. HUD lacks the internal processes to timely estimate the contract funding level on an ongoing basis. There is a lack of automated interfaces between the Office of Housing subsidiary records and the Department’s general ledger for the control of program funds. This necessitates that HUD and its contractors make extensive use of ad hoc analyses and special projects to review Section 8 contracts. Our review of the Section 8 project-based account balances showed deficiencies that raised concerns about use of PAS data for computing funding requirements for Section 8 project-based assistance contracts. Specifically, we noted that:

  Funds totaling $1.1 million were recaptured from 32 projects that were reported in PAS as having no available balance.

  PAS data contained 24 funding lines with contract expiration dates prior to 1974, which is the year that Congress authorized the Section 8 program. Of the 24, 12 funding lines were reported in PAS as having $10.4 million in funds available.

Administrative/Other Program Obligations

Requests for obligation reviews were forwarded by the Chief Financial Officer to the administrative and program offices. The focus of the review was on administrative obligations that exceeded a balance of $17,000 and program obligations that exceeded $217,000. Excluding the Section 8 and Section 235/236 programs, which undergo separate review processes, HUD identified 1,923 obligations with remaining balances totaling $21.5 million for deobligation.
We tested the 1,923 obligations the Department identified to determine whether the associated $21.5 million had in fact been deobligated in HUD’s Central Accounting and Program Accounting Systems. We found that, as of September 30, 2008, a total of 427 obligations with remaining balances totaling $4.2 million had not been deobligated. The Department has initiated the process of closing these contracts and the associated funding should be recaptured in fiscal year 2009. We noted that during fiscal year 2008, the Department continued its efforts to improve the timing and monitoring of its deobligation process.

Rent Supplement and Rental Assistance Payments

HUD is not recapturing excess undisbursed contract authority from the Rent Supplement and Rental Assistance Payments programs in a timely manner. Although HUD continues to make progress in this area, improvement is still needed to ensure the timely recapture of excess funds.

The Rent Supplement and Rental Assistance Payments programs have been in existence since the mid-1960s and 1970s, respectively. The Rent Supplement program and Rental Assistance Payments operate much like the current project-based Section 8 rental assistance program. Rental assistance is paid directly to multi-family housing owners on behalf of eligible tenants.

HUD’s subsidiary ledgers show, on a fiscal year basis, the amount authorized for disbursement and the amount that was disbursed under each project account. Funds remain in these accounts until they are paid out or deobligated by HUD.
If the funds are not paid out or deobligated, the funds remain on the books, overstating the needed contract authority, the excess of which should be recaptured. Our prior audit reports showed these funds were not being recaptured timely.

We have been reporting deficiencies in this area for several years. In response to our concern, in fiscal year 2006, HUD developed and implemented procedures to review quarterly and annually the programs and associated contract authority requirements. Although progress has been made in this area, improvement is still needed to ensure the timely recapture of excess funds.

We performed a review in fiscal year 2008 of unliquidated obligations for the multifamily projects accounts under the Rent Supplement and Rental Assistance programs. Our review found $20.7 million in undisbursed contract authority from prior fiscal years on 372 multifamily projects that should be recaptured. HUD agreed and processed adjustments to deobligate the $20.7 million of excess undisbursed obligations.

Section 236 Interest Reduction Program

The Section 236 Interest Reduction Program was created in 1968; however, new program activity ceased in the mid-1970s. The multi-family activities carried out by this program include making interest reduction payments directly to mortgage companies on behalf of multi-family project owners. The contracts entered into were typically up to 40 years and HUD was required to fund these contracts for their duration. At the time it entered into the contracts, HUD was to record obligations for the entire amount. The obligations were established based upon permanent indefinite appropriation authority.
This budget authority is included in the Statement of Budgetary Resources and other consolidated financial statements as “Other programs”.

Although not a major program, deficiencies in the Section 236 Interest Reduction Program have been reported by OIG in prior reports on the financial statements. The Offices of Housing and the Chief Financial Officer have been hampered by historically poor record keeping in their attempt to accurately account for unexpended Section 236 budget authority balances and estimated future payments. These estimated payments are the basis for HUD’s current recorded obligation balances necessary to fully fund the contracts to their expiration. HUD adjusts the recorded obligations as it proceeds through the term of the contracts in order to reflect best estimates of the financial commitment. Factors that can change the budgetary requirements over time include contract terminations, refinancing, and restructuring of the contracts.

In recent years, OIG noted that HUD took a series of corrective actions to address these deficiencies. In response to fiscal year 2004’s OIG report and OMB concerns, the Department initiated a contract-by-contract review in August 2005 to identify underreported as well as overreported balances, and support the Section 236 contract and budget authority. In 2006, HUD developed and implemented procedures for the quarterly reconciling of its obligation accounts. In FY 2007, HUD completed a reconciliation review with service.
However, this year’s review disclosed that further improvements in HUD’s processes are needed to ensure Section 236 IRP obligations are valid and can be more accurately estimated and reported.

In fiscal year 2008, we identified 60 inactive Section 236 Interest Reduction Program contracts with over $13.9 million in excess contract and budget authority that could be deobligated. These 60 contracts had been prepaid and terminated from the program. HUD agreed and processed adjustments to deobligate $13.9 million. In addition, we identified 9 contracts with inaccurate payment schedules and overestimated funding requirements of over $9.7 million. HUD agreed and processed adjustments to deobligate the $9.7 million.

The deficiencies in the Section 236 program occurred because the quarterly review procedures currently implemented were insufficient in providing updates on the project status in a timely manner. HUD needs to improve its quarterly contract reconciliation procedures to ensure that contract and budget authority for the Section 236 Interest Reduction Program are valid and estimates are accurately and timely reported.

For the Department’s administrative and other program funds, HUD needs to promptly perform contract closeout reviews and recapture the associated excess contract authority and imputed budget authority. In addition, HUD needs to address data and systems weaknesses to ensure that all contracts are considered in the recapture/shortfall budget process including Rent Supplement and Rental Assistance Programs.

With respect to project-based Section 8 contracts, we recommended in our audit of the Department’s fiscal year 1999 financial statements that systems be enhanced to facilitate timely closeout and recapture of funds.
In addition, we recommended that the closeout and recapture process occur periodically during the fiscal year, and not just at year-end. Implementation of the recommendations is critical so that excess budget authority can be recaptured in a timely manner and considered in formulating requests for new budget authority.

Significant Deficiency: HUD Financial Management Systems Need to Comply with Federal Financial Management System Requirements

As reported in prior years, HUD is not in full compliance with federal financial management requirements. Specifically, it has not completed development of an adequate integrated financial management system. HUD is required to implement a unified set of financial systems. This includes the financial portions of mixed systems encompassing the software, hardware, personnel, processes (manual and automated), procedures, controls, and data necessary to carry out financial management functions, manage financial operations of the agency, and report on the agency’s financial status to central agencies, Congress, and the public. As currently configured, HUD financial management systems do not meet the test of being unified. The term “unified” is defined as meaning that systems are planned for and managed together, operated in an integrated fashion, and linked electronically to efficiently and effectively provide agency wide financial system support necessary to carry out the agency’s mission and support the agency’s financial management needs.

HUD’s financial systems, many of which were developed and implemented before the issue date of current standards, were not designed to perform or provide the range of financial and performance data currently required.
The result is that HUD, on a department wide basis, does not have unified and integrated financial management systems that are compliant with current federal requirements or provide HUD the information needed to effectively manage its operations on a daily basis. This could negatively impact management’s ability to perform required financial management functions; efficiently manage the financial operations of the agency; and report, on a timely basis, the agency’s financial results, performance measures, and cost information.

FFMIA Requires HUD to Implement a Compliant Financial Management System

The Federal Financial Management Improvement Act of 1996 (FFMIA) requires, among other things, that HUD implement and maintain financial management systems that substantially comply with federal financial management system requirements. The financial management system requirements also include implementing information system security controls. These requirements are detailed in the Federal Financial Management System Requirements series issued by the Joint Financial Management Improvement Program/Financial System Integration Office (JFMIP/FISO).
The requirements are also included in Office of Management and Budget (OMB) Circular A-127, “Financial Management Systems.” Circular A-127 defines a single integrated financial management system as a unified set of financial systems and the financial portions of mixed systems (e.g., acquisition) encompassing the software, hardware, personnel, processes (manual and automated), procedures, controls, and data necessary to carry out financial management functions, manage the financial operations of the agency, and report on the agency’s financial status.

As in previous audits of HUD’s financial statements, in fiscal year 2008 there continued to be instances of noncompliance with federal financial management system requirements. These instances of noncompliance have given rise to significant management challenges that have: (1) impaired management’s ability to prepare financial statements and other financial information without extensive compensating procedures, (2) resulted in the lack of reliable, comprehensive managerial cost information on its activities and outputs, and (3) limited the availability of information to assist management in effectively managing operations on an ongoing basis.

HUD’s Financial Systems Are Not Adequate

As reported in prior years, HUD does not have financial management systems that enable it to generate and report the information needed to both prepare financial statements and manage operations on an ongoing basis accurately and timely.
To prepare consolidated department wide financial statements, HUD required the Federal Housing Administration (FHA), the Government National Mortgage Association (Ginnie Mae), and the Office of Federal Housing Enterprise Oversight (OFHEO) to submit financial statement information on spreadsheet templates, which were loaded into a software application. In addition, all consolidating notes and supporting schedules had to be manually posted, verified, reconciled, and traced. To overcome these systemic deficiencies with respect to preparation of its annual financial statements, HUD was compelled to rely on extensive compensating procedures that were costly, labor intensive, and not always efficient.

Due to a lengthy HUD Integrated Financial Management Improvement Project (HIFMIP) procurement process and lack of funding for other financial application initiatives, there were no significant changes made in fiscal year 2008 to HUD’s financial management processes. As a result, the underlying system limitations identified in past years remain. The functional limitations of the three applications (HUDCAPS, LOCCS and PAS) performing the core financial system function for HUD are dependent on its data mart and reporting tool to complete the accumulation and summarization of data needed for U.S.
Department of the Treasury and OMB reporting.

HUD’s Financial Systems do not Provide Managerial Cost Data

In fiscal year 2006 the Government Accountability Office (GAO) reported in GAO-06-1002R Managerial Cost Accounting Practices that HUD’s financial systems do not have the functionality to provide managerial cost accounting across its programs and activities. This lack of functionality has resulted in the lack of reliable and comprehensive managerial cost information on its activities and outputs. HUD lacks an effective cost accounting system that is capable of tracking and reporting costs of HUD’s programs in a timely manner to assist in managing its daily operations. This condition renders HUD unable to produce reliable cost-based performance information.

HUD officials have indicated that various cost allocation studies and resource management analyses are required to determine the cost of various activities needed for mandatory financial reporting. However, this information is widely distributed among a variety of information systems, which are not linked and therefore cannot share data. This makes the accumulation of cost information time consuming, labor intensive, untimely, and ultimately makes that cost information not readily available.
Budget, cost management, and performance measurement data are not integrated because HUD:

  Did not interface its budget formulation system with its core financial system;

  Lacks the data and system feeds to automate a process to accumulate, allocate, and report costs of activities on a regular basis for financial reporting needs, as well as internal use in managing programs and activities;

  Does not have the capability to derive current full cost for use in the daily management of Department operations; and

  Requires an ongoing extensive quality initiative to ensure the accuracy of the cost aspects of its performance measures as they are derived from sources outside the core financial system.

While HUD has modified its resource management application to enhance its cost and performance reporting for program offices and activities, the application does not use core financial system processed data as a source. Instead, HUD uses a variety of applications, studies, and models to estimate the cost of its program management activities. One of these applications, TEAM/REAP, was designed for use in budget formulation and execution, strategic planning, organizational and management analyses, and ongoing management of staff resources. It was enhanced to include an allocation module that added the capability to tie staff distribution to strategic objectives, the President’s Management Agenda, and HUD program offices’ management plans.
HUD also concluded a pilot program of this functionality in fiscal year 2007.

Additionally, HUD has developed time codes and an associated activity for nearly all HUD program offices to allow automated cost allocation to the program office activity level. HUD has indicated that the labor costs that will be allocated to these activities will be obtained from the HUD payroll service provider. However, because the cost information does not pass through the general ledger, current federal financial management requirements are not met.

Financial Systems do not Provide for Effective and Efficient Financial Management

During fiscal year 2008, HUD’s financial information systems did not allow it to achieve its financial management goals in an effective and efficient manner in accordance with current federal requirements. To perform core financial system functions, HUD depends on three major applications, in addition to a data warehouse and a report-writing tool. Two of the three applications that perform core financial system functions require significant management oversight and manual reconciliations to ensure accurate and complete information. HUD’s use of multiple applications to perform core financial system functions further complicates financial management and increases the cost and time expended. Extensive effort is required to manage and coordinate the processing of transactions to ensure the completeness and reliability of information.

Additionally, the interface between the core financial system and HUD’s procurement system does not provide the required financial information.
The procurement system interface with HUDCAPS does not contain data elements to support the payment and closeout processes. Also, the procurement system does not interface with LOCCS and PAS. Therefore, the processes of fund certification, obligation, de-obligation, payment, and close out of transactions that are paid out of the LOCCS system are all completed separately, within either PAS or LOCCS. This lack of compliance with federal requirements impairs HUD’s ability to effectively monitor and manage its procurement actions.

HUD Plans to implement a Department Wide Core Financial System

HUD plans to implement a commercial federal certified core financial system and integrate the current core financial system into one Department-wide core financial system. HUD is initiating business process reengineering work to ensure a smooth transition to a single integrated core financial system. FHA and Ginnie Mae have already implemented a compatible and compliant system to support the transition to the enterprise core financial system. HUD plans to select a qualified shared service provider to host the enterprise system and integrate the three financial systems (HUD, FHA, and Ginnie Mae) into a single system by fiscal year 2013.
Achieving integrated financial management for HUD will result in a reduction in the total number of systems maintained, provide online, real-time information for management decision-making, enable HUD to participate in E-government initiatives, and align with HUD’s information technology modernization goals.

However, HUD’s Integrated Financial Management Improvement Project (HIFMIP), launched in fiscal year 2003, has been plagued by delays, and implementation of the core financial system has not yet begun. Additionally, the previous HIFMIP project manager vacated the position in February 2008, and a permanent replacement has not yet been named. HIFMIP was intended to modernize HUD’s financial management systems in accordance with a vision consistent with administration priorities, legislation, Office of Management and Budget directives, modern business practices, customer service, and technology. HIFMIP will encompass all of HUD’s financial systems, including those supporting FHA and Ginnie Mae. HUD had intended to begin the implementation in fiscal year 2006. Due to delays with the procurement process, however, HUD anticipates that it will not be able to begin the implementation of its core financial system until fiscal year 2009. The success of the HIFMIP project continues to be at risk due to dated requirement documents, as well as the lack of a permanent, full-time project manager.
We continue to note the following weaknesses with HUD’s financial management systems:

  HUD’s ability to prepare financial statements and other financial information requires extensive compensating procedures.

  HUD has limited availability of information to assist management in effectively managing operations on an ongoing basis.

Significant Deficiency: Controls over HUD’s Computing Environment Can Be Further Strengthened

HUD’s computing environment, data centers, networks, and servers provide critical support to all facets of the Department’s programs, mortgage insurance, financial management, and administrative operations. In prior years, we reported on various weaknesses with general system controls and controls over certain applications, as well as weak security management. These deficiencies increase risks associated with safeguarding funds, property, and assets from waste, loss, unauthorized use, or misappropriation.

We evaluated selected information systems general controls of the Department’s computer systems on which HUD’s financial systems reside. Our review found information systems control weaknesses that could negatively affect HUD’s ability to accomplish its assigned mission, protect its data and information technology assets, fulfill its legal responsibilities and maintain its day-to-day functions. Presented below is a summary of the control weaknesses found during the review.

Entity-wide Security Program

HUD has made strides toward implementing a compliant entity wide security program as required by the Federal Information Security Management Act of 2002 (FISMA).
HUD\n         developed guidance, conducted meetings, and provided training to program officials to\n         ensure security policies are properly implemented at the program and system level.\n         However, additional progress is needed. Specifically, in fiscal year 2008 we found that:\n\n             HUD\xe2\x80\x99s program offices and system owners did not always ensure that HUD\xe2\x80\x99s\n             inventory of automated systems was up-to-date and systems were properly\n             categorized as required by OMB.\n\n             System owners did not ensure that all non-major applications that are hosted outside\n             of HUD\xe2\x80\x99s infrastructure were secure.\n\n             HUD did not fully comply with OMB\xe2\x80\x99s privacy requirements, including the\n             completion of privacy survey reports and privacy impact assessments for all new\n             systems that contain personally identifiable information3 before placing them into\n             development or production.\n\n             HUD did not fully implement all technical controls specified by OMB memorandum\n             M-06-164, which addresses information that is removed from or accessed from\n             outside the agency.\n\n\n\n\n                                Security Controls Over HUD\xe2\x80\x99s Databases\n\n\n\n3\n  The term Personally Identifiable Information means any information about an individual maintained by an agency,\nincluding, but not limited to, education, financial transactions, medical history, and criminal or employment history\nand information which can be used to distinguish or trace an individual's identity, such as their name, social security\nnumber, date and place of birth, mother\xe2\x80\x99s maiden name, biometric records, etc., including any other personal\ninformation which is linked or linkable to an individual. 
Source: OMB Memorandum M-06-19, “Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments,” dated July 12, 2006

[4] “Protection of Sensitive Agency Information” issued June 23, 2006

A number of weaknesses were identified by the OIG during a review of security controls over HUD’s databases. We identified security configuration and technical control deficiencies within HUD’s database security controls in the areas of (1) passwords, (2) system patches, and (3) system configuration.

If proper access controls are not in place, there is no assurance that the data residing on HUD financial and financial management systems are adequately protected against unauthorized disclosure, modification, or destruction. Allowing conditions that undermine the integrity of security contributes to inefficient security operations and administration or may lead to interruption of production operations. Additionally, improper configurations do not allow the Office of the Chief Information Officer (OCIO) and program offices to ensure that the database environment is managed in a way that is secure, efficient, and effective.

HUD Procurement System

We audited HUD's Procurement systems in fiscal year 2006 [5]. Through actions taken during fiscal years 2007 and 2008, the Office of the Chief Procurement Officer has made progress toward resolving the issues identified during the audit.
However, two significant recommendations made in the report remain open and the procurement systems continue to be in noncompliance with Federal financial management requirements. The Office of the Chief Procurement Officer (OCPO) has yet to complete the corrective actions for the known open information security vulnerabilities or to develop mitigation strategies if new system development is underway. The OCPO plans to replace the current acquisition systems, but it has not yet been able to secure funding to complete the planned corrective action. Consequently, OCPO has not yet implemented functionality to ensure that there is sufficient information within HUD’s procurement systems to support the primary acquisition functions of fund certification, obligation, de-obligation, payment, and closeout.

Controls Over FHA Information Technology Resources

On October 31, 2007, we issued an audit report on our assessment of FHA’s management of its information technology resources [6]. Some recommendations addressed to the OCIO remain open and are expected to be implemented and closed by December 2008 as follows: (1) provide additional guidance and training to application system owners regarding completion of their application’s business impact analysis; (2) complete the design and implementation of an information security program to include descriptions of system owner roles and responsibilities, information on the security controls with FHA for each

[5] Audit Report No. 2007-DP-0003: Review of HUD’s Procurement Systems issued January 25, 2007

[6] Audit report No.
2008-DP-0002: Review of FHA Controls Over Its Information Technology Resources

general support system on which its applications reside, and information on the use of the Information System Security Forum as a user representative forum for each general support system; and (3) develop and provide role-based training to FHA staff with information security roles and responsibilities.

HUD’s Financial Systems

As part of our review of HUD's information systems controls, we evaluated information security controls over the Northridge Loan System (NLS), Departmental Accounts Receivable Tracking/Collection System (DARTS), HUDCAPS, LOCCS and the Financial Data Mart. We identified control weaknesses that could negatively affect the integrity, confidentiality, and availability of computerized financial data within three of HUD’s financial systems--HUDCAPS, LOCCS, and the Financial Data Mart.

HUDCAPS

In our fiscal year 2007 audit, we found that the Office of the Chief Financial Officer (OCFO) granted two contracted developers above-read access to the HUDCAPS production data stored within the mainframe environment without documenting either their acceptance of the risks associated with or the justification for this access level. The documentation to support this access was not maintained by the system owner, and acceptance of the risks associated with this access level was not documented in the system security plan. Additionally, neither of the two developers received the required level of background investigation. One developer received only a minimum background investigation. The other developer was not investigated at all.

During fiscal year 2008, the OCFO, in coordination with the OCIO, has made progress in addressing this issue.
The OCFO has improved their documentation and maintenance of files containing authorizations and justifications for contracted system developers to have read or above-read access to production data. They have assessed the risk of providing above-read and read-only access to contractors and have specifically acknowledged and accepted that risk within their system security documentation. However, although the OCFO has obtained a listing of all users with access to the HUDCAPS production environment, they have not yet completed an assessment to determine specifically what HUDCAPS access is granted to each contractor, or prepared a listing of all users with above-read access to application data. They also have yet to initiate a request with the Office of Security and Emergency Planning staff to determine whether the contractor employees have had the appropriate background investigations or to follow up with Office of Security and Emergency Planning staff to ensure background investigations are initiated for contractor staff if required. In addition, they still need to complete actions to remove above-read access privileges for all contracted system developers with unnecessary access within production databases for HUDCAPS and any other OCFO systems.

LOCCS

During our fiscal year 2007 audit, we found that the controls over the LOCCS user recertification process were not effective to verify the access of all users. Systemic deficiencies led to the omission of more than 10,000 users from the LOCCS recertification process. An additional 199 users had last recertification dates within the application prior to March 31, 2006, indicating that they also were not included in the fiscal year 2007 recertification process.
During fiscal year 2008, the OCFO made improvements to this process by generating a report from the system that allows them to identify users that only have approving authority within the application for the user recertification process. However, further improvements are necessary to ensure that all users of LOCCS are recertified in accordance with HUD policy. Our review of the 2008 data again identified LOCCS users that were not recertified by the system. This shows that the corrective action taken in response to our 2007 finding did not fully address the problem.

Financial Data Mart

In fiscal year 2007, the OCFO identified and reported that an unauthorized individual had access to sensitive data within the Financial Data Mart that was not needed to perform assigned duties. In June 2007, we determined that an unauthorized individual was accessing production data from the Financial Data Mart using an application’s login ID and password. In addition, the password assigned to the application login ID did not conform to HUD’s password policy. Further, we determined that all users with access to the HUD Web can access and generate reports containing proprietary financial data maintained within the Financial Data Mart.

During fiscal year 2008, the OCFO assessed and accepted the risk associated with providing web users access to some of the data within the Financial Data Mart. In addition, the OCFO, in coordination with the OCIO, initiated plans to obtain and review access logs to the Financial Data Mart server, and to modify application passwords to be in compliance with HUD's password policy. The corrective actions are expected to be completed during fiscal year 2009.

IBM Mainframe z/OS Operating System

In fiscal year 2007, we followed up on previously reported weaknesses related to the IBM mainframe z/OS operating system.
For instance, we found that HUD had not: (1) removed the unused data files in the IBM mainframe environment in a timely manner; and (2) removed the references to a retired application. We also reported that more work was needed to ensure that the most powerful administrative authority is restricted to only those persons who require it to perform their duties, and that the administrator account is properly managed.

During our fiscal year 2008 review, we determined that HUD has taken steps to ensure that the super-user authority is properly restricted, and the administrator account is properly managed. HUD also removed unused data files from the IBM environment, as well as references to a retired application. Additionally, HUD has established a standard procedure to monitor and oversee the removal of personal data files belonging to users who have left the Department.

Software Configuration Management

We previously reported that weaknesses remain in the areas of support for the Department-wide configuration management [7] function and the HUD Procurement System configuration management plan. We also reported that configuration management plans for several FHA applications lacked information or contained outdated information.
There were also weaknesses specific to each configuration management plan we reviewed.

HUD has made progress in implementing controls to resolve the reported weaknesses. However, HUD has not yet fully resolved the issue of obsolete and incomplete information in the configuration management plans for the HUD Procurement System and selected FHA applications.

For fiscal year 2008, we reviewed the configuration management plan for the Institution Master File (IMF) and found that this plan also lacked information or contained outdated information. Details of this finding will be included in our report for our fiscal year 2008 review of information systems controls in support of the financial statements audit to be issued during 2009.

Contingency Planning and Preparedness

Although HUD continues to make progress in the implementation of controls for contingency planning and preparedness, improvement is still needed. In fiscal year 2007, our review of the disaster recovery plan for the contractor-operated data center facility indicated that the listing of mission critical applications had not yet been updated. We were advised that a contract modification was required to update the listing, and HUD planned to accomplish this by December 31, 2007. During our fiscal year 2008 audit, we determined that the listing of mission critical applications still has not been updated.
We also found that the appendix containing information on the disaster recovery team personnel was not current.

[7] Configuration management is the control and documentation of changes made to a system’s hardware, software and documentation throughout the development and operational life of the system.

In addition, we determined that contingency planning at third party business sites is inadequate. We surveyed 29 third party business partners to determine if they had business continuity plans, continuity of operations plans or disaster recovery plans in place that would provide the means to continue business, relocate to alternative work areas and access HUD systems. We found that sixty-nine percent did not have any type of contingency, continuity or disaster recovery plan. While thirty-one percent of the third party business partners did have some type of plan, those plans contained only limited provisions on backup of critical information and alternative work areas. Staff were unfamiliar with, or had limited knowledge of, contingency planning requirements, and documentation was not readily available for use in case of emergency.

HUD had not specified contingency planning, continuity of operations or disaster recovery requirements in its agreements with third party business partners. Such information is usually included in the terms and conditions of a contract or service-level agreement with the external business partner.
Consequently, third party business partners have developed limited contingency planning policies that do not meet HUD or National Institute of Standards and Technology (NIST) requirements.

Physical Security

Our on-site reviews during fiscal years 2006 and 2007 found that physical security controls for HUD facilities were generally in place at the network operations center and the data center, both maintained by HUD’s two information technology infrastructure contractors.

This year, we evaluated how HUD’s third party business partners [8] compensate for the lack of physical security controls when information is removed from, maintained or accessed from outside the agency location. We also determined what security guidance is provided by HUD. We found that physical security at the third party business sites we visited is inadequate and weaknesses exist at those sites. We found instances where servers were located in common areas (i.e. lunch rooms, halls), case binders with personally identifiable information were left unattended, no guard or receptionist was at the entrance, access doors were unlocked, and encryption of data residing on laptops or portable devices was not a requirement.

We determined that HUD had not specified the level of security controls and included it in the terms and conditions of the contract or service-level agreement with the external business partner.
As a result, third party business partners have developed various information technology security controls and policies that do not meet HUD or federal requirements, and therefore cannot be relied upon to provide adequate protection over HUD’s sensitive data.

[8] Third party business partners are external business partners who contract to do business with HUD such as Housing Authorities and mortgage lenders who use PIH Inventory Management System (PIH-IMS), Tenant Rental Assistance Certification System (TRACS) and Computerized Homes Underwriting Management System (CHUMS).

Significant Deficiency: Weak Personnel Security Practices Continue to Pose Risks of Unauthorized Access to the Department’s Critical Financial Systems

For several years, we have reported that HUD’s personnel security practices over access to its systems and applications were inadequate. Deficiencies in HUD’s information technology personnel security program were found and recommendations were made to correct the problems. However, the risk of unauthorized access to HUD’s financial systems remains a critical issue. We followed up on previously reported information technology personnel security weaknesses and deficiencies and found that deficiencies still exist. Specifically:

* Since 2004, we have reported that HUD does not have a complete list of all users with above-read access at the application level. Those users with above-read access to sensitive application systems are required to have a background investigation. Our review this year found that HUD still does not have a central repository that lists all users with access to HUD’s general support and application systems.
Consequently, HUD has no central listing for reconciling that all users who have access to HUD critical and sensitive systems have had the appropriate background investigation.

* While HUD’s implementation in 2007 of the Centralized HUD Account Management Process (CHAMP) was a step towards improving its user account management practices, CHAMP remains incomplete and does not fully address OIG’s concerns. Specifically, we found:

  a. CHAMP does not contain complete and accurate data. The OCIO did not electronically migrate data from the HUD Online User Registration System (HOURS) into CHAMP. Instead, they chose to enter the legacy data manually. However, this process has not yet been completed. As of April 22, 2008, OCIO has entered user data for 37 out of 248 applications (15%) into CHAMP.

  b. HUD can neither compile a complete listing of all authorized users and their access privileges nor identify all the applications to which users have access because CHAMP does not have reporting capabilities.

  c. CHAMP does not contain a mechanism to escalate or reassign tasks that have not been completed within a specified timeframe.

  d. CHAMP can only handle access requests for internal users such as HUD employees and contractors, but not for external users such as Housing Authorities and trusted business partners.

* During our fiscal year 2007 audit, we reported that contractors were inappropriately granted access to sensitive systems.
Consequently, we recommended that the OCIO remove greater-than-read access to sensitive systems for users who have not submitted appropriate background investigation documents or who are no longer authorized to access information resources. Corrective action to resolve this weakness has not yet been completed.

* We previously identified a retired HUD employee whose user ID remained active on HUD systems for 13 months following her retirement. In addition, there was evidence to suggest that the network password assigned to that user had been modified approximately six weeks after the employee’s retirement. We found that although HUD had processes and procedures for removing the computer system access of retiring employees, Human Resources, program area applications owners, the Office of Security and Emergency Planning, and the Office of the Chief Information Officer need to coordinate to improve these processes.

* HUD did not conduct a security categorization and a risk assessment for CHAMP as required by Federal Information Processing Standards (FIPS) Publications (PUB) 199 and 200. HUD’s OCIO incorrectly chose not to conduct a security categorization and risk assessment for CHAMP because they believed that these items are not required for CHAMP, which is listed as a process rather than a system. HUD also believes that since CHAMP is exclusively owned by its information technology contractor, it is not subject to the requirements of a security categorization and a risk assessment.
Without a security categorization and risk assessment on CHAMP, HUD cannot know the full extent of risks that the CHAMP process is vulnerable to or whether adequate levels of security controls have been put in place to protect data and applications impacted by CHAMP.

Compliance with Laws and Regulations

HUD Did Not Substantially Comply with the Federal Financial Management Improvement Act

FFMIA requires auditors to report whether the agency’s financial management systems substantially comply with the Federal financial management systems requirements, applicable accounting standards, and support the U.S. Standard General Ledger (SGL) at the transaction level. We found that HUD was not in substantial compliance with FFMIA because HUD’s financial management system did not substantially comply with Federal Financial Management System Requirements.

During fiscal year 2008, the Department made limited progress as it attempted to address its financial management deficiencies to bring the agency’s financial management systems into compliance with the Federal Financial Management Improvement Act (FFMIA). However, the deficiencies remain as the Department’s financial management systems continue to not meet current requirements and are not operated in an integrated fashion and linked electronically to efficiently and effectively provide agency wide financial system support necessary to carry out the agency’s mission and support the agency’s financial management needs.

HUD's policy is to complete OMB A-127 reviews of all HUD financial systems within a three year cycle.
HUD did not complete any of the planned 2007 and 2008 independent reviews of its current financial management systems to verify compliance with financial system requirements, identify system and procedural weaknesses, and develop the corrective actions to address identified weaknesses. Additionally, HUD only completed four independent reviews that were planned in 2006.

Federal Financial Management System Requirements

In its Fiscal Year 2008 Performance and Accountability Report, HUD reports that 2 of its 42 financial management systems do not comply with the requirements of the FFMIA and OMB Circular A-127, Financial Management Systems. Even though 40 individual systems have been certified as compliant with federal financial management systems requirements, HUD has not adequately performed independent reviews of these systems as required by OMB Circular A-127. Collectively and in the aggregate, deficiencies still exist.

We continue to report as a significant deficiency that HUD Financial Management Systems Need to Comply with Federal Financial Management Systems Requirements. The significant deficiency addresses how HUD’s financial management systems remain substantially noncompliant with federal financial management requirements.

FHA’s auditor reports as a significant deficiency that FHA needs to continue to enhance and modernize its financial information systems.
The significant deficiency addresses the challenges in FHA’s capacity to simultaneously address various system modernization initiatives and control deficiencies affecting the reliability and completeness of FHA’s financial information.

Ginnie Mae’s auditor reports noncompliance with the Federal Information Security Management Act (FISMA). The Act requires Ginnie Mae to implement an agency-wide information security program to provide information security for the information systems that support the operations and assets of the agency including those provided or managed by a contractor. The auditor’s review found Ginnie Mae lacks assurance that critical information technology general control elements for the Integrated Portfolio Management System (IPMS), which is managed and controlled by a Ginnie Mae contractor, are working effectively to reduce agency information system risks.

We also continue to report as significant deficiencies that (1) Controls over HUD’s Computing Environment Can Be Further Strengthened and (2) Weak Personnel Security Practices Continue to Pose Risks of Unauthorized Access to the Department’s Critical Financial Systems.
These significant deficiencies discuss how weaknesses with general controls and certain application controls, and weak security management increase risks associated with safeguarding funds, property, and assets from waste, loss, unauthorized use or misappropriation.

In addition, OIG audit reports have disclosed that security over financial information was not provided in accordance with OMB Circular A-130 Management of Federal Information Resources, Appendix III and the FISMA.

We have included the specific nature of noncompliance issues, responsible program offices and recommended remedial actions in Appendix C of this report.

HUD Did Not Substantially Comply with the Anti-Deficiency Act

HUD’s Office of the Chief Financial Officer (OCFO) is not conducting, completing, reporting and closing the investigation of potential Anti-Deficiency Act violations in a timely manner and has not created timeframes for the conduct and completion of the investigations of potential Anti-Deficiency Act violations, as required by the FY 2003 Appropriation Act, Public Law 108-7, Title II – Department of Housing and Urban Development. Additionally, the OCFO has not reported known violations immediately to the President through OMB, Congress, or GAO, as required by the Anti-Deficiency Act.

The OCFO is responsible for investigating and reporting on violations of the Anti-Deficiency Act. As of the conclusion of this audit, the OCFO had investigated a total of 26 potential Anti-Deficiency Act violations. The Chief Financial Officer (CFO) made determinations that three cases that occurred in 2003 are Anti-Deficiency Act violations that warrant reporting to the President, Congress, and GAO.
With regard to determinations for the remaining cases, another three were considered to be Anti-Deficiency Act violations but were still under review by the OCFO, 15 were determined not to be a violation, and five cases were under preliminary review.

Our review determined that although it has been five years since discovery of some of the Anti-Deficiency Act violations, the OCFO has not issued a report on any of the three cases determined to be reportable Anti-Deficiency Act violations. We reviewed the three case files and found that the OCFO completed draft transmittal letters and reports in 2004, but the letters and reports were not issued. The CFO is not in compliance with OMB A-11 Section 435 and 31 U.S.C. 1351 and 1517(b). Specifically, the United States Code states that once it is determined that there has been a violation, it shall be reported immediately to the President, Congress, and GAO. The OCFO stated that the reports have not been submitted to the appropriate parties because OMB and HUD cannot agree on whether or not names should be included in the reports. We feel these reports should not be held up for that reason, since OMB A-11 Section 145 specifically states that the letter will set forth the name and position of the officer(s) or employee(s) responsible for the violation.

Additionally, there are another three investigations that have been determined to be Anti-Deficiency Act violations. The draft reports have been prepared and are under review by the OCFO. Two of these three Anti-Deficiency Act violation cases have been under investigation for four years and the other one has been under investigation for a year.

In our fiscal year 2008 review, we noted that HUD management did complete its review of all outstanding cases.
However, HUD management has indicated that they took corrective actions to address any necessary immediate funding actions, and to correct funds control deficiencies and unacceptable long-standing past practices to minimize the risk of future violations. Additionally, HUD management plans to establish and finalize timeframes in an internal OCFO policy memorandum for the conduct and completion of investigations of potential ADA violations during the first quarter of FY 2009 to ensure investigations are conducted, completed, reported, and closed in a timely manner.

APPENDIXES

Appendix A

Objectives, Scope, and Methodology

Management is responsible for

* Preparing the principal financial statements in conformity with generally accepted accounting principles;
* Establishing, maintaining and evaluating internal controls and systems to provide reasonable assurance that the broad objectives of Federal Managers’ Financial Integrity Act are met; and
* Complying with applicable laws and regulations and government wide policies.

In auditing HUD’s principal financial statements, we were required by Government Auditing Standards to obtain reasonable assurance about whether HUD’s principal financial statements are free of material misstatements and presented fairly in accordance with generally accepted federal accounting principles.
We believe that our audit provides a reasonable basis for our opinion.

In planning our audit of HUD’s principal financial statements, we considered internal controls over financial reporting by obtaining an understanding of the design of HUD’s internal controls, determined whether these internal controls had been placed in operation, assessed control risk, and performed tests of controls to determine our auditing procedures for the purpose of expressing our opinion on the principal financial statements and not to provide assurance on the internal control over financial reporting. Consequently, we do not provide an opinion on internal controls. We also tested compliance with selected provisions of applicable laws and regulations and government wide policies that may materially affect the consolidated principal financial statements. Providing an opinion on compliance with selected provisions of laws and regulations was not an objective and, accordingly, we do not express such an opinion.

We considered HUD’s internal control over Required Supplementary Stewardship Information reported in HUD’s Fiscal Year 2008 Performance and Accountability Report by obtaining an understanding of the design of HUD’s internal controls, determined whether these internal controls had been placed in operation, assessed control risk, and performed limited testing procedures as required by AU Section 558, Required Supplementary Information.
The tests
performed were not to provide assurance on these internal controls, and accordingly, we do not
provide assurance on such controls.

With respect to internal controls related to performance measures to be reported in the
Management’s Discussion and Analysis and HUD’s Fiscal Year 2008 Performance and
Accountability Report, we obtained an understanding of the design of significant internal
controls relating to the existence and completeness assertions as described in Section 230.5 of
OMB Circular A-11, Preparation, Submission and Execution of the Budget. We performed
limited testing procedures as required by AU Section 558, Required Supplementary Information,
and OMB Bulletin 07-04, Audit Requirements for Federal Financial Statements, as amended.
Our procedures were not designed to provide assurance on internal control over reported
performance measures and, accordingly, we do not provide an opinion on such controls.

To fulfill these responsibilities, we

*      Examined, on a test basis, evidence supporting the amounts and disclosures in the
       consolidated principal financial statements;
*      Assessed the accounting principles used and the significant estimates made by
       management;
*      Evaluated the overall presentation of the consolidated principal financial statements;
*      Obtained an understanding of internal controls over financial reporting, executing
       transactions in accordance with budget authority, compliance with laws and regulations,
       and safeguarding assets;
*      Tested and evaluated the design and operating effectiveness of relevant internal controls
       over significant cycles, classes of transactions, and account balances;
*      Tested HUD’s compliance with certain provisions of laws, regulations, and
       government-wide policies, noncompliance with which could have a direct and material
       effect on the determination of financial statement amounts, and certain other laws and
       regulations specified in OMB Bulletin 07-04, as amended, including the requirements
       referred to in the Federal Managers’ Financial Integrity Act;
*      Considered compliance with the process required by the Federal Managers’ Financial
       Integrity Act for evaluating and reporting on internal control and accounting systems; and
*      Performed other procedures we considered necessary in the circumstances.

We did not evaluate the internal controls relevant to operating objectives as broadly defined by
the Federal Managers’ Financial Integrity Act. We limited our internal control testing to those
controls that are material in relation to HUD’s financial statements. Because of inherent
limitations in any internal control structure, misstatements may nevertheless occur and not be
detected. We also caution that projection of any evaluation of the structure to future periods is
subject to the risk that procedures may become inadequate because of changes in conditions or
that the effectiveness of the design and operation of policies and procedures may deteriorate.

Our consideration of the internal controls over financial reporting would not necessarily disclose
all matters in the internal controls over financial reporting that might be significant deficiencies.
We noted certain matters in the internal control structure and its operation that we consider
significant deficiencies under OMB Bulletin 07-04, as amended.
Under standards issued by the
American Institute of Certified Public Accountants, a significant deficiency is a deficiency in
internal control, or a combination of deficiencies, that adversely affects HUD’s ability to initiate,
authorize, record, process, or report financial data reliably in accordance with generally accepted
accounting principles such that there is more than a remote likelihood that a misstatement of the
entity’s financial statements that is more than inconsequential will not be prevented or detected.

A material weakness is a significant deficiency, or combination of significant deficiencies, that
results in a more than remote likelihood that a material misstatement of the financial statements
will not be prevented or detected.

Our work was performed in accordance with generally accepted Government Auditing Standards
and OMB Bulletin 07-04, as amended.

This report is intended solely for the use of HUD management, OMB and the Congress.
However, this report is a matter of public record and its distribution is not limited.


Appendix B
                                   Recommendations


To facilitate tracking recommendations in the Audit Resolution and Corrective Action Tracking
System, this appendix lists the newly developed recommendations resulting from our report on
HUD’s fiscal year 2008 financial statements. Also listed are recommendations from prior years’
reports that have not been fully implemented.
This appendix does not include recommendations
pertaining to FHA and Ginnie Mae issues because they are tracked under separate financial
statement audit reports of those entities.


                 Recommendations from the Current Report
With respect to the significant deficiency that HUD management must continue to improve
oversight and monitoring of subsidy calculations and intermediaries’ program performance and
promote full utilization of Housing Choice Voucher funds, we recommend that the Office of
Public and Indian Housing in coordination with the Office of General Counsel:

1.a.   Seek legislative authority to implement $1.4 billion in offsets against PHAs’ excess
       unusable funding held in the Net Restricted Assets Account.

1.b.   Seek legislative authority to eliminate or modify the leasing restrictions placed on the
       Housing Choice Voucher program.

With respect to the significant deficiency that HUD management must continue to improve
oversight and monitoring of subsidy calculations and intermediaries’ program performance and
promote full utilization of Housing Choice Voucher funds, we recommend that the Office of
Public and Indian Housing:

1.c.   Increase the monitoring efforts over the Net Restricted Asset Account held by PHAs.

1.d.   Improve its efforts to increase the fund utilization rates for the Housing Choice Voucher
       Program.

With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that the Chief Financial Officer in coordination with the
appropriate program offices:

2.a.   Deobligate $122.9 million of excess unexpended funds identified as a result of the fiscal
       year 2008 financial statement audit.

2.b.   Improve and document the quarterly contract reconciliation procedures to ensure that
       Section 236 obligations reported are valid and can be accurately estimated and reported.

2.c.   Implement regularly scheduled review and reconciliation procedures to ensure excess
       undisbursed contract authority from Rental Assistance Payments and Rent Supplement
       projects is timely recaptured.

With respect to HUD’s substantial noncompliance with the Federal Financial Management
Improvement Act, we recommend that the Chief Financial Officer:

3.a.   Develop a plan to comply with OMB A-127 review requirements which results in the
       evaluation of all HUD financial management systems within a 3-year cycle.

With respect to HUD’s substantial noncompliance with the Anti-deficiency Act, we recommend
that the Chief Financial Officer in coordination with the appropriate program offices:

4.a.   Establish timeframes for the conduct and completion of investigations of potential
       Anti-deficiency Act violations as required by the FY 2003 Appropriations Act to ensure
       investigations are conducted, completed, reported, and closed in a timely manner.

4.b.   Report the three known Anti-Deficiency Act violations immediately to the President,
       Congress, and General Accountability Office (GAO), as required by the Anti-deficiency
       Act.



         Unimplemented Recommendations from Prior Years’ Reports

Not included in the recommendations listed above are recommendations from prior years’
reports on the Department’s financial statements that have not been fully implemented based on
the status reported in the Audit Resolution and Corrective Action Tracking System. The
Department should continue to track these under the prior years’ report numbers in accordance
with departmental procedures.
Each of these open recommendations and its status is shown
below. Where appropriate, we have updated the prior recommendations to reflect changes in
emphasis resulting from recent work or management decisions.


OIG Report Number 2008-FO-0003 (Fiscal Year 2007 Financial Statements)

With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that the Chief Financial Officer in coordination with the
appropriate program offices:

       1.a.   Deobligate $342.3 million of excess unexpended funds identified as a result of the
              fiscal year 2007 financial statement audit. (Final Action Target Date is 10/31/08;
              Reported in ARCATS as Recommendation 4A)

       1.b.   Improve the quarterly contract reconciliation procedure currently being
              implemented by performing periodic reviews of subsidiary ledgers to ensure that
              Section 236 obligations reported are valid and can be more accurately estimated
              and reported. (Final Action Target Date is 10/31/08; Reported in ARCATS as
              Recommendation 4B)

       1.c.   Implement a periodic review of terminated Rent Supplement and Rental
              Assistance Payments projects to ensure changes in contract status are timely
              identified and excess undisbursed contract authority is recaptured in a timely
              manner. (Final Action Target Date is 10/15/08; Reported in ARCATS as
              Recommendation 4C)


With respect to the significant deficiency that HUD needs to improve its budgeting and funds
control over Section 8 project-based contracts, we recommend that the Assistant Secretary for
Housing in coordination with the Chief Financial Officer and the Chief Information Officer:

       2.a.   Develop a long-term financial management system solution to streamline and
              automate the overall Section 8 project-based budgeting, payment, and contract
              management process. (Final Action Target Date is 12/31/08; Reported in
              ARCATS as Recommendation 3A)

       2.b.   Consider revising current Section 8 project-based recapture methodology to
              include recapturing funds from expired Section 8 contracts occurring in the
              current fiscal year. We found that HUD could have recaptured up to $580 million
              from these expired contracts, in lieu of recapturing funds from active long-term
              contracts. (Final Action Target Date is 10/31/08; Reported in ARCATS as
              Recommendation 3B)


Appendix C

Federal Financial Management Improvement Act Noncompliance,
Responsible Program Offices, and Recommended Remedial Actions

This Appendix provides details required under Federal Financial Management Improvement Act
(FFMIA) reporting requirements. To meet those requirements, we performed tests of
compliance using the implementation guidance for FFMIA issued by OMB and GAO’s Financial
Audit Manual. The results of our tests disclosed that HUD’s systems did not substantially
comply with the foregoing requirements.
The details for our basis of reporting substantial
noncompliance, responsible parties, primary causes and the Department’s intended remedial
actions are included in the following sections.

Federal Financial Management Systems Requirements
1. HUD’s annual assurance statement issued pursuant to Section 4 of the Financial Manager’s
Integrity Act, will report two non-conforming systems9.

          The organizations responsible for systems that were found not to comply with the
          requirements of OMB Circular A-127 based on the Department’s assessments are as
          follows:

     Responsible Office                                Number of Systems     Non-conforming Systems
     Office of Housing                                        19                        0
     Office of Chief Financial Officer                        14                        0
     Office of Administration                                  2                        0
     Office of Chief Procurement Officer                       2                        2
     Office of Community Planning and Development              2                        0
     Office of Public and Indian Housing                       2                        0
     Government National Mortgage Association                  1                        0
     Totals                                                   42                        2


9   The two nonconforming systems are: A35-HUD Procurement System and P035-Small Purchase System.


     The following section outlines the Department’s plan to correct noncompliance with OMB
     Circular A-127 as submitted to us as of September 30, 2008 and unedited by us.

                           Office of the Chief Procurement Officer

                           A35 HUD Procurement Systems (HPS)
P035 Small Purchase System (SPS)\n\n  Noncompliance Issue(s)                           Tasks/Steps                              Target Dates   Completion\n                                             (including Milestones)                                          Dates\nINTERNAL CONTROLS\n                            INTERMEDIATE RESOLUTION PLAN\n\n                            1A Review transactions of the four contracting officers\n1. HUD\xe2\x80\x99s Procurement           who input records in excess of their contract authority\n                                                                                            COMPLETED      COMPLETED\n   Systems Do Not Have         and take actions as appropriate.\n   Adequate Controls for          OCPO researched the transactions in question to\n   Monitoring the                 determine if the obligations were appropriate or          12/23/2006     12/14/2006\n   Procurement Process            not.\n                                  OCPO determined that the transactions were\n                                  properly executed by contracting officers acting          3/31/2007      12/14/2006\n                                  within their authority. No further action is\n                                  necessary.\n\n                            1B   Implement system controls to ensure that contracting\n                                 officers are not able to exceed their procurement\n                                 authority.                                                 
COMPLETED      COMPLETED\n                                     The OCPO will implement procurement authority\n                                     control procedures.\n\n                                    The OCPO will include validation of contracting         3/31/2007      4/25/07\n                                    officer authority as part of each Procurement\n                                    Management Review.\n                                                                                            Commencing     1/08/2007\n                            1C   Implement controls to ensure that contracting officers     1/8/2007       On-Going\n                                 are required to either input or approve all transactions\n                                 that record funds through the HUDCAPS interfaces.\n                                     The OCPO will implement procedural controls to         COMPLETED      COMPLETED\n                                     require contracting officers to validate\n                                     transactions in HPS.\n\n                            1D Modify the systems to make the contracting officer field     4/30/2007      4/25/2007\n                               mandatory.\n                                 The OPOC will implement procedures for\n                                 electronic records, which are recorded in HPS, are\n                                                                                            COMPLETED      COMPLETED\n                                 reviewed to ensure that a Contracting Officer is\n                                 identified for each record.\n                                 The OCPO will implement validation of the                  Revised to     6/20/2008\n                                 contracting officer identification as part of each         11/30/2008\n                                 Procurement Management Review. 
\xe2\x80\x93 See 1B                    Commencing\n                                 bullet 2 above. Validation of contracting                  1/8/2007       1/08/2007\n                                 authority is the same as implementation of task.                          On-Going\n                            NOTE: OCPO is in the process of conducting a cost\n                            benefit analysis, whose outcome will determine the best\n\n\n                                                  40\n\x0c  Noncompliance Issue(s)                            Tasks/Steps                          Target Dates   Completion\n                                              (including Milestones)                                      Dates\n                            course of action in implementing system changes or\n                            replacing systems.\n\n2. HUD Procurement          2A Ensure that system administration and security            COMPLETED      COMPLETED\n   Systems\xe2\x80\x99 Separation of      administration functions are separate.\n   Duties Controls Were             The OPCO will formally appoint separate\n   Bypassed                        individuals to act as security administrator and      4/16/2007      05/01/2007\n                                   system administrator for each OCPO system and\n                                   that the individuals will not be performing\n                                   conflicting duties.\n\n                            2B Ensure that staff is not assigned conflicting duties,\n                                                                                         COMPLETED      COMPLETED\n                               that separate functions are performed by separate\n                               individuals, and that the concept of least privilege is\n                               applied.\n                                    OCPO will determine if multiple system profiles\n                      
              are actually a valid requirement on an individual\n                                    basis in HPS. The goal is to eliminate\n                                    unnecessary and redundant profiles in HPS and\n                                    that the individuals will not be performing\n                                    conflicting duties.\n                                        o The OCPO will identify users with\n                                                                                         2/15/2007      12/21/2006\n                                             multiple HPS profiles\n                                        o The OCPO will deactivate\n                                                                                         07/31/2007     07/19/2007\n                                             unnecessary/redundant profiles\n\n                            NOTE: While we can separate the duties procedurally, the\n                            separation cannot be enforced in HPS or SPS without\n                            reprogramming.\n\n                            2C Implement formal policies and procedures to               COMPLETED      COMPLETED\n                               recertify the access granted to users at least an [sic]\n                               annually.\n                                    The OCPO will develop and implement formal\n                                   procedures for granting access by using the\n                                   concept of least privilege to OCPO systems, as\n                                   well as annual user access reviews by:\n                                        o Revise system access request forms             1/31/2007      12/31/2006\n                                        o Revise process in which user requests          2/28/2007      1/31/2007\n                                            system access\n                                        o 
Revise procedure in which system               3/31/2007      1/31/2007\n                                            access is granted\n                                        o Develop formal procedure to enforce            06/30/2007     07/18/2007\n                                            annual user access review\n\n                            2D Create and implement routing functionality within         COMPLETED      COMPLETED\n                               the Small Purchase System to allow users to be                           8/27/2008\n                               granted access to more than one office or region.\n                                      OCPO recommends implementing the\n                                       following tasks to alleviate the routing issue.\n                                       OCPO will determine if multiple SPS system\n                                       profiles are actually a valid requirement on\n                                       an individual basis. 
The goal is to eliminate\n                                       all unnecessary and redundant profiles in\n                                       SPS.\n\n\n                                                 41\n\x0c  Noncompliance Issue(s)                                 Tasks/Steps                             Target Dates   Completion\n                                                   (including Milestones)                                         Dates\n                                               o   The OCPO will identify users with\n                                                   multiple SPS profiles                         2/15/2007      12/21/2006\n                                               o   The OCPO will restructure the issuing\n                                                   office hierarchy to alleviate the necessity   11/30/2007     12/14/2007\n                                                   of multiple profiles for a given user.\n\n                                  NOTE: OCPO is in the process of conducting a cost\n                                  benefit analysis, whose outcome will determine the best\n                                  course of action in implementing system changes or\n                                  replacing systems.\n\n3. HUD\xe2\x80\x99s Procurement              3A Perform a cost benefit analysis to determine whether it     COMPLETED      COMPLETED\n   Systems Do Not Contain            is more advantageous to modify or replace the\n   Sufficient Financial Data to      procurement systems to ensure compliance with Joint\n   Allow It to Effectively           Federal    Management        Improvement      Program\n   Manage and Monitor                Requirements.\n   Procurement Transactions             The OCPO will perform a cost benefit analysis to\n                                        replace the OCPO systems.                                
05/31/2008     2/12/2008\n\n                                  3B   Implement functionality to ensure that there is\n                                       sufficient information within HUD\xe2\x80\x99s procurement\n                                       systems to support the primary acquisition functions of\n                                       fund certification, obligation, deobligation, payment,\n                                       and closeout.\n                                                Based on the availability of funds, OCPO will\n                                                replace its systems with COTS software to\n                                                ensure found issues with internal and security\n                                                controls are addressed.\n                                                MILESTONES \xe2\x80\x93 NOT LATER THAN\n                                                     Develop Independent Government\n                                                     Estimate\n                                                                                                 5/4/2007       05/03/2007\n                                                     Conduct Market Research\n                                                     Source Selection                            04/6/2007      04/06/2007\n                                                     Roll-out pilot of production system         TBD            No funding\n                                                                                                 TBD \xe2\x80\x93          provided for\n                                  NOTE: OCPO is in the process of conducting a cost              Waiting for    FY2008,\n                                  benefit analysis, whose outcome will determine the best        funding to     FY2009 &\n                                  course of action in implementing system changes or             become         
FY2010\n                                  replacing systems.                                             available      funding are\n                                                                                                                also at risk.\nSECURITY CONTROLS\n4. The Office of the Chief        4A Obtain the training and/or resources necessary to\n   Procurement Officer Did           develop or perform compliant (1) information system\n   Not Design or Implement           categorization analyses; (2) risk assessments; (3)\n   Required Information              security plans; (4) contingency plans and tests; (5)\n   Security Controls                 monitoring processes, which include applicable Federal\n                                     Information Processing Standards Publication 200\n                                     managerial, operational, and technical information\n                                     security controls; and (6) evaluations of the managerial,\n                                     operational, and technical security controls.\n                                           OCPO will ensure that training or other resources\n                                           are obtained to develop or perform required\n                                           managerial, operational, and technical security\n                                           controls.\n\n\n                                                        42\n\x0cNoncompliance Issue(s)                         Tasks/Steps                              Target Dates    Completion\n                                         (including Milestones)                                           Dates\n                                      Update Risk Assessments\n                                      Update Security Plans\n                                                                                        12/31/2008      08/31/2007\n                                      Update 
Contingency Plans and tests;\n                                                                                        12/31/2008      08/31/2007\n                                                                                        12/31/2008      Test Performed\n                                      Monitoring processes, which include                               12/13/2007\n                                       applicable Federal Information Processing        Last C&A\n                                       Standards (FIPS) Publication 200                 conducted       FY2008\n                                       managerial, operational, and technical           06/30/2005.     C&A was\n                                       information security controls; and               Next C&A        completed\n                                                                                        scheduled for   on\n                                                                                        4th Qrt 2008    8/29/2008.\n                                      Evaluations of the managerial, operational, and                   Awaiting\n                                       technical security controls.                     Last C&A        signed copy\n                                                                                        conducted       from OCIO\n                                                                                        06/30/2005.     
for our\n                                                                                        Next C&A        records.\n                                                                                        scheduled for\n                                                                                        4th Qrt 2008\n                         4B   Complete the corrective actions for the known open\n                              information security vulnerabilities or develop\n                              mitigation strategies if new system development is\n                              underway.\n                                    OCPO will ensure it develops mitigation\n                                    strategies for the known open information\n                                    security vulnerabilities.\n                                       Review vulnerabilities\n                                       Develop mitigation strategy\n                                                                                        11/30/2008\n                         4C   Designate a manager to assume responsibility for          11/30/2008\n                              ensuring the Office of the Chief Procurement Officer\xe2\x80\x99s\n                              compliance with federal certification and accreditation   COMPLETED\n                                                                                                        COMPLETED\n                              process requirements and to provide \xe2\x80\x9ccontinuous\n                              monitoring\xe2\x80\x9d of the office\xe2\x80\x99s information systems\n                              security.\n                                    OCPO will designate a manager responsible for\n                                    ensuring compliance with information systems\n                                    security and federal certification and\n                                    accreditation 
                                    process.                                            1/15/2007       03/13/2007
                                    OCPO will work with OCIO to define roles and
                                    responsibilities and to ensure that appropriate
                                    resources are provided to perform required                          2/1/2007
                                                                                        2/1/2007
                                    monitoring and certification and accreditation.

Noncompliance Issue(s)                          Tasks/Steps                             Target Dates   Completion
                                          (including Milestones)                                         Dates
                         4D Reevaluate the HUD Procurement System and Small             COMPLETED      COMPLETED
                            Purchase System application systems’ security
                            categorization in light of OMB guidance on personally
                            identifiable information.
                                  OCPO will reevaluate the HUD Procurement
                                  System and Small Purchase System application          8/31/2007      8/31/2007
                                  systems’ security categorization in light of OMB
                                  guidance on personally identifiable information.

                         4E   Perform a Business Impact Analysis (BIA) for the
                              procurement systems.
                              Based on the results of the
                                                                                                       COMPLETED
                              impact analysis, determine what actions HUD can take
                                                                                                       9/25/2008
                              to limit the amount of time needed to recover from the
                              various levels of contingencies that can occur and
                              include the determined actions in the contingency plans
                              for the systems.
                                    OCPO will develop a business impact analysis
                                    for the procurement systems and revise the
                                    contingency plan based on the BIA.
                                       Develop business impact analyses
                                       Incorporate BIA into contingency plans
                                                                                        4/30/2007
                                                                                        9/30/2007
                         Note: OCPO is in the process of conducting a cost benefit
                         analysis, whose outcome will determine the best course of
                         action in implementing system changes or replacing the
                         systems.

2. Our audit disclosed significant deficiencies regarding the security over financial
information. Similar conditions have also been noted in other OIG audit reports. We are
including security issues as a basis for noncompliance with FFMIA because of the
collective effect of the issue and noncompliance with Circular A-130, Appendix 3 and the
Federal Information Security Management Act (FISMA).
The responsible office, nature of
the problem, and primary causes are summarized below:

Responsible Office      Nature of the Problem

Office of Housing and   Reduction in FHA’s capacity to simultaneously address various system
CIO                     modernization initiatives and control deficiencies affected the reliability and
                        completeness of FHA’s financial information.

                        FHA currently maintains four Multifamily and 11 Single Family systems that
                        are administered separately from the core financial management system
                        (FHA Subsidiary Ledger or FHASL).

                        FHA’s two primary Multifamily insurance systems were scheduled to be
                        operational on October 1, 2008, but they were still going through user
                        acceptance testing. The implementation date was revised to November 11,
                        2008.

                        General control weaknesses were noted in certain of FHA’s Single
                        Family systems, as follows:
                              - Only 3 of 24 HUD employees or contractors with access to the
                                Single Family Claims system had complete and proper
                                background investigations.
                              - Two users of the Single Family Claims system had unauthorized
                                access rights to read, write, and update records.
                              - Five contract developers had update access to Single Family
                                Claims production data files.
                              - FHA neither had adequate controls over, nor reviews of, audit logs
                                for the Single Family Claims system.
                              - FHA did not develop or implement adequate
                                security controls over
                                information transmitted between FHA and its numerous lenders
                                and other business partners.
                              - FHA failed to adequately assess its compliance with mandatory
                                system security controls.
                              - FHA did not properly ensure annual security reviews were
                                completed by HUD employees.

                        FHA has conducted an accounting risk assessment to identify short and
                        long term deficiencies in a manual business process for handling
                        applications for claim benefits for FHA’s Home Equity Conversion
                        Mortgage (HECM) program, but will continue to rely on significant
                        review and reconciliation procedures as compensating controls until a
                        replacement system solution can be procured and implemented. An
                        independent examination, conducted in accordance with AICPA Statement
                        on Auditing Standards (SAS) No.
                        70, Audits of Service Organizations,
                        Type I, Control Design, of the HECM notes servicing system identified
                        over thirty specific system control deficiencies, including:
                              - Lack of formal approval for critical system security documents
                              - Weaknesses with system access policies and physical access
                                control monitoring
                              - Inadequate system baseline documentation
                              - Lack of formal authorization procedures for system software
                                changes
                              - Segregation of duties weaknesses
                              - Deficiencies in the Continuity of Operations Plan

                        Due to deficiencies in the Generic Debt subsystem interface, FHA is unable
                        to maintain reliable cohort level data for the financing accounts within its
                        (FHASL) general ledger system as required by the Credit Reform Act of
                        1990.

These conditions occurred because in addition to the efforts to address system deficiencies, the
FHA’s Systems Division is currently responsible for a number of other major IT related projects,
including:
      - Implementing systems to handle the newly legislated Hope for Homeowners program for
        risk-sharing of single family loans insured that became effective October 1, 2008.
      - Procurement and implementation of a new integrated insured reverse mortgage loan and
        notes servicing system.
      - Implementing the new Real Estate Owned property management system at the various Single
        Family Marketing and Management (M&M) contractor sites.
        This system will be interfaced
        with the SAMS legacy application system.

Managing such critical system initiatives simultaneously and without additional funding or staff
resources may increase the risk of system or processing errors in the agency’s financial data, or
increase the risk of unauthorized access into critical or sensitive agency systems. Such errors or
unauthorized access could lead to misstatements in financial reporting or misappropriation of FHA
assets.

Office of Chief          Weaknesses exist in HUD’s entity-wide security program. Specifically:
Information Officer
                         In fiscal year 2008, HUD’s program offices and system owners did not
                         always ensure that HUD’s inventory of automated systems was up-to-date
                         and systems were properly categorized as required by OMB.

                         System owners did not ensure that all non-major applications that are
                         hosted outside of HUD’s infrastructure were secure.

                         HUD did not fully comply with OMB’s privacy requirements, including
                         the completion of privacy survey reports and privacy impact assessments
                         for all new systems that contain personally identifiable information before
                         placing them into development or production.

                         HUD did not fully implement all technical controls specified by OMB
                         memorandum M-06-16, which addresses information that is removed from
                         or accessed from outside the agency.

These conditions occurred because HUD’s management does not consistently enforce policies and
procedures.

Office of Chief
Information Officer      The security configuration and technical control deficiencies within HUD’s
                         database security controls were found in the areas of (1) passwords, (2)
                         system patches, and (3) system configuration.

These conditions occurred because HUD’s management does not consistently enforce policies and
procedures.

Office of Chief          Control weaknesses still exist for HUD Procurement System (HPS) and
Procurement Officer      HUD Small Purchase System (SPS), specifically:

                         Both procurement systems continue to be in noncompliance with Federal
                         financial management requirements. The Office of the Chief Procurement
                         Officer (OCPO) has yet to complete the corrective actions for the known
                         open information security vulnerabilities or to develop mitigation strategies if
                         new system development is underway. The OCPO plans to replace the
                         current acquisition systems, but it has not yet been able to secure funding to
                         complete the planned corrective action.
                         Consequently, OCPO has not yet
                         implemented functionality to ensure that there is sufficient information
                         within HUD’s procurement systems to support the primary acquisition
                         functions of fund certification, obligation, de-obligation, payment, and
                         closeout.

These conditions occurred because the OCPO has not yet been able to secure funding to complete the
planned corrective action.

Office of Chief          Control weaknesses that could negatively affect the integrity,
Information Officer      confidentiality, and availability of computerized financial data still exist,
and Office of the        specifically:
Chief Financial          Although the OCFO has obtained a listing of all users with access to
Officer                  the HUDCAPS production environment, they have not yet
                         completed an assessment to determine specifically what HUDCAPS
                         access is granted to each contractor, or prepared a listing of all users
                         with above read access to application data. They also have yet to
                         initiate a request with the Office of Security and Emergency
                         Planning staff to determine whether the contractor employees have
                         had the appropriate background investigations or to follow up with
                         Office of Security and Emergency Planning staff to ensure
                         background investigations are initiated for contractor staff if
                         required.
                         In addition, they still need to complete actions to remove
                         above read access privileges for all contracted system developers
                         with unnecessary access within production databases for HUDCAPS
                         and any other OCFO systems.

                         The corrective action taken to ensure that all users of LOCCS were
                         recertified in accordance with HUD policy was not effective since
                         we again were able to identify LOCCS users that were not
                         recertified by the system during fiscal year 2008.

                         The OCFO assessed and accepted the risk associated with providing web
                         users access to some of the data within the Financial Data Mart. In addition,
                         the OCFO, in coordination with the OCIO, initiated plans to obtain and
                         review access logs to the Financial Data Mart server, and to modify
                         application passwords to be in compliance with HUD’s password policy.
                         The
                         corrective actions are expected to be completed during fiscal year 2009.

These conditions occurred because HUD’s management does not consistently enforce policies and
procedures.

Office of Chief           Our review of software configuration management indicated that HUD has
Information Officer       not yet fully resolved the issue of obsolete and incomplete information in
                          the configuration management plans for the HUD Procurement System
                          and selected FHA applications.

                          For fiscal year 2008, the configuration management plan for the Institution
                          Master File (IMF) lacked information or contained outdated information.

These conditions occurred because management does not consistently enforce policies and procedures.

Office of Chief           Our review of the disaster recovery plan for the contractor-operated data
Information Officer       center facility indicates that the listing of mission critical applications still has
                          not yet been updated, and the appendix containing information on the disaster
                          recovery team personnel was not current.

                          In addition, the contingency planning at third party business sites is
                          inadequate. Sixty-nine percent of 29 third party business partners surveyed
                          did not have any type of contingency, continuity or disaster recovery plan.
                          While thirty-one percent of the third party business partners did have some
                          type of plan, those plans contained only limited provisions on backup of
                          critical information and alternative work areas.
                          Staff were unfamiliar with, or had
                          limited knowledge of, contingency planning requirements, and documentation
                          was not readily available for use in case of emergency.

These conditions occurred because management does not consistently enforce policies and procedures
and HUD had not specified contingency planning, continuity of operations or disaster recovery
requirements in its agreements with third party business partners. Consequently, third party business
partners have developed limited contingency planning policies that do not meet HUD or National
Institute of Standards and Technology (NIST) requirements.

Office of Chief           The physical security at the third party business sites is inadequate and
Information Officer       weaknesses exist at those sites. The servers at those sites were located in
                          common areas (i.e., lunch rooms, halls), case binders with personally
                          identifiable information were left unattended, no guard or receptionist was at
                          the entrance, access doors were unlocked, and encryption of data residing on
                          laptops or portable devices was not a requirement.

This condition occurred because HUD had not specified the level of security controls and included it in
the terms and conditions of the contract or service-level agreement with the external business partner.
As a result, third party business partners have developed various information technology security
controls and policies that do not meet HUD or federal requirements, and therefore cannot be relied upon
to provide adequate protection over HUD’s sensitive data.

Office of Chief           Personnel security weaknesses still exist, specifically:
Information Officer
                          HUD
                          still does not have a central repository that lists all users with access
                          to HUD’s general support and application systems. Consequently, HUD
                          has no assurance that all users who have access to HUD critical and
                          sensitive systems have had the appropriate background investigation.

                          The Centralized HUD Account Management Process (CHAMP) remains
                          incomplete and does not fully address OIG’s concerns. Specifically, we
                          found:
                           a. CHAMP does not contain complete and accurate data. The OCIO did
                              not electronically migrate data from the HUD Online User
                              Registration System (HOURS) into CHAMP. Instead, they chose to
                              enter the legacy data manually. However, this process has not yet
                              been completed. As of April 22, 2008, OCIO has entered user data
                              for 37 out of 248 applications (15%) into CHAMP.
                           b. HUD can neither compile a complete listing of all authorized users
                              and their access privileges nor identify all the applications to which
                              users have access because CHAMP does not have reporting
                              capabilities.
                           c. CHAMP does not contain a mechanism to escalate or reassign tasks
                              that have not been completed within a specified timeframe.
                           d.
                              CHAMP can only handle access requests for internal users such as
                              HUD employees and contractors, but not for external users such as
                              Housing Authorities and trusted business partners.

                          HUD has not yet completely removed greater-than-read access to sensitive
                          systems for users who have not submitted appropriate background
                          investigation documents or who are no longer authorized to access
                          information resources.

                          HUD had processes and procedures for removing the computer system
                          access of retiring employees; however, controls over these processes needed
                          improvement.

                          HUD did not conduct a security categorization and a risk assessment for
                          CHAMP as required by Federal Information Processing Standards (FIPS)
                          Publications (PUB) 199 and 200. Without a security categorization and
                          risk assessment on CHAMP, HUD cannot know the full extent of risks that
                          the CHAMP process is vulnerable to or whether adequate levels of
                          security controls have been put in place to protect data and applications
                          impacted by CHAMP.

These conditions occurred because management does not consistently enforce policies and procedures.

Appendix D

                SCHEDULE OF QUESTIONED COSTS
                 AND FUNDS PUT TO BETTER USE

 Recommendation          Ineligible 1/    Unsupported     Unreasonable or        Funds Put to
       Number                                      2/      Unnecessary 3/        Better Use 4/
             1.a.
                                                                                       $1.4B
             2.a.                                                                   $122.9 M

1/   Ineligible costs are costs charged to a HUD-financed or HUD-insured program or activity
     that the auditor believes are not allowable by law, contract or federal, state or local
     policies or regulations.

2/   Unsupported costs are those costs charged to a HUD-financed or HUD-insured program
     or activity where we cannot determine eligibility at the time of audit. Unsupported costs
     require a future decision by HUD program officials. This decision, in addition to
     obtaining supporting documentation, might involve a legal interpretation or clarification
     of departmental policies and procedures.

3/   Unnecessary/Unreasonable costs are those costs not generally recognized as ordinary,
     prudent, relevant, and/or necessary within established practices. Unreasonable costs
     exceed the costs that would be incurred by a prudent person in conducting a competitive
     business.

4/   Recommendations that funds be put to better use are estimates of amounts that could be
     used more efficiently if an Office of Inspector General (OIG) recommendation is
     implemented.
     This includes reductions in outlays, deobligation of funds, withdrawal of
     interest subsidy costs not incurred by implementing recommended improvements,
     avoidance of unnecessary expenditures noted in pre-award reviews, and any other savings
     which are specifically identified.

Appendix E
             Agency Comments

Appendix F

             OIG EVALUATION OF AGENCY COMMENTS

With the exception of the report’s conclusions on HUD’s substantial noncompliance with the
Federal Financial Management Improvement Act of 1996 (FFMIA) and FHA’s auditor’s
conclusion that FHA did not comply with the Credit Reform Act, HUD management generally
agreed with our presentation of findings and recommendations subject to detailed comments.

HUD’s management disagrees with the conclusion that HUD is still not substantially compliant
with FFMIA. HUD agrees that its systems processes can be more efficiently integrated to
eliminate the need for existing compensating controls, but feels the existing environment is
substantially compliant and not representative of a material risk of misreporting.

We disagree with HUD’s conclusions. FFMIA emphasizes the need for agencies to have systems
that are able to generate reliable, useful, and timely information for decision-making purposes
and to ensure accountability on an ongoing basis. The deficiencies noted in HUD’s financial
management systems are due to the current financial system being developed prior to the
issuance of current requirements. It is also technically obsolete, has inefficient multiple batch
processes, and requires labor-intensive manual reconciliations. Because of these inefficiencies,
HUD’s management systems are unable to routinely produce reliable, useful, and timely
financial information.
This weakness manifests itself by limiting HUD’s capacity to manage with
timely and objective data, and thereby hampers its ability to effectively manage and oversee its
major programs.

In addition, HUD is not fully compliant with one of the three indicators of compliance with
Federal financial management requirements. HUD has significant deficiencies related to security
over financial management information systems in accordance with FISMA and OMB Circular
A-130 Appendix III. The Department has not met the minimum set of automated information
resource controls relating to Entity-wide Security Program Planning and Management.

HUD disagreed with the FHA auditor’s conclusion that FHA did not comply with the Credit
Reform Act of 1990 due to FHA’s inability to maintain accurate trial balances at the cohort level
for financing accounts. FHA’s auditor reported that:

               “Due to deficiencies in the interface with the Generic Debt subsystem, the FHA’s
               core financial management system does not maintain accurate trial balance
               account information at the cohort level for the financing accounts. Accordingly,
               FHA may not be able to accurately calculate the re-estimated cost “for a group of
               direct loans or loan guarantees for a given credit program made in a fiscal year” in
               accordance with the requirements of Statement of Federal Financial Accounting
               Standard No 2, Accounting for Direct Loans and Loan Guarantees and the
               Federal Credit Reform Act of 1990.
               These balances are adjusted manually at the
               end of the year.”

FHA’s auditor reviewed and considered HUD’s and FHA’s comments and disagreed with HUD
and FHA concerning FHA’s noncompliance with the Credit Reform Act.
"